Safety-related software development using a model-based ... - IBM
Safety-related software development using a model-based ... - IBM
Safety-related software development using a model-based ... - IBM
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Safety</strong>-<strong>related</strong> <strong>software</strong> <strong>development</strong> <strong>using</strong> a<br />
<strong>model</strong>-<strong>based</strong> testing workflow<br />
Paul Urban (purban@us.ibm.com)<br />
Senior Systems Market Manager<br />
<strong>IBM</strong> Corporation<br />
Udo Brockmeyer, PhD (Udo.Brockmeyer@btces.de)<br />
CEO<br />
BTC Embedded Systems AG<br />
Skill Level: Intermediate<br />
Date: 08 Jan 2013<br />
Developing safety-<strong>related</strong> <strong>software</strong>, where failure can result in injury or loss of<br />
life, such as in airplanes, automobiles, trains, or medical devices, requires extra<br />
care and effort. The delivery of safe code that is compliant with strict <strong>development</strong><br />
standards and guidelines such as DO-178C, DO-178B, ISO 26262, IEC 61508,<br />
or IEC 62304, can result in increased time and cost of the project. This article<br />
describes how to use the Rhapsody Reference workflow included with the <strong>IBM</strong><br />
Rational Rhapsody Kit for ISO 26262 and IEC 61508 for <strong>development</strong> of safety<strong>related</strong><br />
applications. You will learn about the Rhapsody Reference workflow, and<br />
how <strong>model</strong>-<strong>based</strong> testing with the Rational Rhapsody TestConductor Add On can<br />
be used to verify the <strong>model</strong> and the generated code. It reduces the time to deliver<br />
high-quality <strong>software</strong> yet still complies with safety standards.<br />
Challenges of safety-<strong>related</strong> <strong>software</strong><br />
Embedded <strong>software</strong> is increasingly at the heart of today's innovative products. It's<br />
key in defining the functionality and controlling the electrical and mechanical systems<br />
in the products we rely on every day. In airplanes, automobiles, trains, or medical<br />
devices, for example, failure can result in injury or loss of life. Extra care and effort<br />
is required to ensure the safe operation of the system for the safety of users and to<br />
avoid costly product recalls.<br />
For code where safety is critical, companies must comply with strict <strong>development</strong><br />
standards and guidelines, such as DO-178C and DO-178B for commercial avionics,<br />
ISO 26262 for automobiles, IEC 62304 for medical devices, or IEC 61508 for general<br />
functional safety. It is each company's responsibility to produce evidence that they<br />
follow good <strong>development</strong> processes, such as traceability from requirements to<br />
© Copyright <strong>IBM</strong> Corporation 2013 Trademarks<br />
<strong>Safety</strong>-<strong>related</strong> <strong>software</strong> <strong>development</strong> <strong>using</strong> a <strong>model</strong><strong>based</strong><br />
testing workflow<br />
Page 1 of 13
developerWorks® ibm.com/developerWorks/<br />
implementation, sufficient testing, and that their tools do not introduce errors in the<br />
product. The extra time and testing that are necessary to verify that the <strong>software</strong><br />
complies with safety requirements can significantly increase <strong>development</strong> time and<br />
cost.<br />
Automating testing with <strong>model</strong>-<strong>based</strong> testing<br />
With <strong>model</strong>-<strong>based</strong> testing, you can be capture test cases graphically. This creates<br />
expressive test cases that are easier to understand and communicate across the<br />
<strong>development</strong> team. The test cases can be traced to requirements, and the impact of<br />
requirement changes can be understood easily. The <strong>IBM</strong>® Rational® Rhapsody®<br />
TestConductor Add On adds <strong>model</strong>-<strong>based</strong> testing capabilities that are <strong>based</strong> on<br />
the UML Testing Profile to the Rational Rhapsody Developer, Rational Rhapsody<br />
Designer for Systems Engineers, or Rational Rhapsody Architect for Software<br />
editions (see the Resources section for links to the product overview and Evaluate<br />
pages). The testing profile tailors the <strong>development</strong> environment for testing by adding<br />
concepts such as test architectures and test behaviors into UML. Test architectures<br />
extend the existing UML 2.0 structural concepts to describe the test elements that are<br />
involved and their relationships. Similarly, the test behavior extends the existing UML<br />
2.0 behavioral concepts to encompass all observations and activities during the test.<br />
The Rhapsody TestConductor Add On can automatically create test architectures for<br />
the system under test. Tests cases can be graphically created <strong>using</strong> UML sequence<br />
diagrams, state charts, or flowcharts. The graphical representation of the test cases<br />
allows for better communication of the tests to aid the understanding of the behavior<br />
of the design. The tests can be executed and results monitored to automate unit<br />
and regression testing. By testing earlier in the <strong>development</strong> process, at the design<br />
<strong>model</strong> stage, quality assurance managers and <strong>software</strong> engineers can efficiently and<br />
effectively verify designs with respect to requirements to identify problems sooner.<br />
Benefits of <strong>model</strong>-<strong>based</strong> testing in safety-<strong>related</strong><br />
<strong>development</strong><br />
For safety-<strong>related</strong> <strong>software</strong>, it is mandatory to have full traceability from requirements<br />
to <strong>software</strong> architecture to code. Additionally, traceability from requirements to test<br />
cases that check the correctness of requirements against the developed <strong>software</strong> is<br />
required. Implementing elements such as a test architecture or test cases as <strong>model</strong>level<br />
concepts allows bidirectional traceability to be realized directly at the <strong>model</strong><br />
level. This enables automated analysis of both requirements coverage and structural<br />
coverage of <strong>model</strong> and code. Additionally, when test cases are specified graphically<br />
by <strong>using</strong> notations such as UML sequence diagrams or state machines, verification<br />
is easier and more efficient than it is for traditional, code-centric test cases. A <strong>model</strong><strong>based</strong><br />
approach allows the <strong>development</strong> of both design artifacts and test artifacts in a<br />
unified framework. Therefore, it adds agility to the <strong>development</strong> and test process, and<br />
that improves efficiency and lowers cost in comparison to processes with separate<br />
<strong>development</strong> and test phases. <strong>IBM</strong> Rational Rhapsody TestConductor Add On<br />
<strong>Safety</strong>-<strong>related</strong> <strong>software</strong> <strong>development</strong> <strong>using</strong> a <strong>model</strong><strong>based</strong><br />
testing workflow<br />
Page 2 of 13
ibm.com/developerWorks/ developerWorks®<br />
automates many of the testing activities, including creation of test architectures<br />
and execution of test cases. Therefore, testers can focus on the correctness and<br />
completeness of their test cases rather than spending time on tedious and errorprone<br />
tasks, such as creating test harnesses. Model-<strong>based</strong> test architectures and<br />
test cases are easier to maintain than traditional test scripting languages, because of<br />
their graphical nature and explicit documentation.<br />
Overview of the Reference workflow with <strong>model</strong>-<strong>based</strong><br />
testing<br />
The Rational Rhapsody Reference Workflow (see Resources) describes an approach<br />
for <strong>model</strong>-<strong>based</strong> <strong>development</strong>, including automatic code generation and <strong>model</strong>-<strong>based</strong><br />
testing for safety-<strong>related</strong> <strong>software</strong> <strong>development</strong>. Figure 1 shows the major activities in<br />
this reference workflow. The upper part of the workflow describes activities to design<br />
and implement the safety-<strong>related</strong> <strong>software</strong>. The lower part of the workflow describes<br />
activities to verify the <strong>software</strong>.<br />
The approach addresses design and implementation together with appropriate test<br />
and verification. Textual requirements guide the <strong>development</strong> of a formal UML/SysML<br />
<strong>model</strong>, which is then is translated to code by <strong>using</strong> code generation. Both refinement<br />
steps are accompanied with appropriate guidelines and checks.<br />
The refinement step from textual requirements to a design <strong>model</strong> ready for code<br />
generation is verified by performing systematic requirements-<strong>based</strong> testing on the<br />
<strong>model</strong> level by leveraging <strong>model</strong> simulation, <strong>using</strong> <strong>IBM</strong> Rational Rhapsody animation.<br />
This is also called Model-in-the-Loop (MiL) testing. The generated code can be<br />
verified on a host computer by executing the same set of test cases used during MiL,<br />
but without including Rational Rhapsody animation. This is also called Software-inthe-Loop<br />
(SiL) testing. An automated equivalence check of the test results (backto-back<br />
testing) between MiL and SiL is performed to verify the results. This can<br />
be complemented by executing the set of tests on the target processor, also called<br />
Processor-in-the-Loop (PiL) testing. Test execution on <strong>model</strong> and code provides<br />
structural coverage measurement to assess the completeness of the tests and<br />
avoid including unintended functionality. Requirements coverage is measured during<br />
execution of the test cases.<br />
<strong>Safety</strong>-<strong>related</strong> <strong>software</strong> <strong>development</strong> <strong>using</strong> a <strong>model</strong><strong>based</strong><br />
testing workflow<br />
Page 3 of 13
developerWorks® ibm.com/developerWorks/<br />
Figure 1. Activities of the <strong>IBM</strong> Rational Rhapsody Reference workflow<br />
The first activity in the workflow is to translate given requirements into an executable<br />
<strong>model</strong> by <strong>using</strong> appropriate <strong>model</strong>ing guidelines. Model-<strong>based</strong> tests are then<br />
added to ensure that the <strong>model</strong> indeed correctly captures the requirements.<br />
Coverage metrics (requirements coverage and <strong>model</strong> coverage) can measure the<br />
completeness of the <strong>model</strong>-<strong>based</strong> test suite. Code generation is used to generate<br />
an implementation from the <strong>model</strong>. Back-to-back testing, or equivalence testing,<br />
between the <strong>model</strong> and code constitutes the key element for code verification.<br />
Running a test suite on both levels verifies that the <strong>model</strong> and code show the same<br />
behavior. Code coverage metrics are used to ensure completeness of the test suite<br />
according to the predefined code coverage criteria.<br />
Example of performing ISO 26262 verification activities<br />
<strong>using</strong> <strong>model</strong>-<strong>based</strong> testing<br />
ISO 26262-6 mentions many recommended or even highly recommended methods<br />
to perform the <strong>development</strong> and testing activities. For example, Table 1 list methods<br />
of <strong>software</strong> unit testing that are recommended by ISO 26262-6. Depending on the<br />
Automotive <strong>Safety</strong> Integrity Levels (ASIL) required for the project for ISO 26262 A to<br />
D, with D as the most critical level, you will need to use some or all of these methods<br />
to achieve compliance. These methods include requirements <strong>based</strong> test, interface<br />
test, fault injection test, resource usage test, and back-to-back comparison test.<br />
Table 1. ISO 26262-6 recommended unit testing methods for Automotive <strong>Safety</strong><br />
Integrity Levels (ASIL)<br />
Methods Automotive <strong>Safety</strong> Integrity Levels (ASIL)<br />
Requirements-<strong>based</strong><br />
test<br />
A B C D<br />
Highly recommended Highly recommended Highly recommended Highly recommended<br />
Interface test Highly recommended Highly recommended Highly recommended Highly recommended<br />
<strong>Safety</strong>-<strong>related</strong> <strong>software</strong> <strong>development</strong> <strong>using</strong> a <strong>model</strong><strong>based</strong><br />
testing workflow<br />
Page 4 of 13
ibm.com/developerWorks/ developerWorks®<br />
Fault injection test Recommended Recommended Recommended Highly recommended<br />
Resource usage test Recommended Recommended Recommended Highly recommended<br />
Back-to-back test Recommended Recommended Highly Recommended Highly recommended<br />
Requirements-<strong>based</strong> testing is highly recommended for ASIL A to D. In other words,<br />
requirements-<strong>based</strong> testing is mandatory. Requirements <strong>based</strong> testing is hence an<br />
important verification activity in the Rational Rhapsody Reference workflow, too.<br />
Figure 2. Performing requirements-<strong>based</strong> testing with the Rational Rhapsody<br />
TestConductor Add On<br />
During requirements-<strong>based</strong> testing, you need to systematically verify whether the<br />
system under test (SUT) behaves as specified in the requirements defined for it. For<br />
each requirement one or more test cases must be defined that check the behavior<br />
of the SUT. <strong>IBM</strong> Rational Rhapsody offers four different ways to specify the behavior<br />
of test cases: sequence diagrams, statecharts, activity diagrams, and plain code.<br />
Depending on the requirement to be checked, one of these formalisms might be<br />
more suitable than others. For example, suppose that the SUT is a <strong>model</strong> of a<br />
stopwatch. This is one of the requirements of the stopwatch:<br />
"REQ_INIT: After starting the stopwatch, the stopwatch shall display 0<br />
minutes and 0 seconds (0:0)".<br />
To verify and test this requirement with <strong>IBM</strong> Rational Rhapsody, you can create a<br />
sequence diagram test, as depicted in Figure 3. First, this input is sent to the SUT:<br />
evPressKey(KeyVal=1)<br />
This input means that the stopwatch is started. As the expected reaction, the<br />
sequence diagram specifies that the SUT shall emit this event:<br />
evShow(m=0,s=0,b=FALSE)<br />
<strong>Safety</strong>-<strong>related</strong> <strong>software</strong> <strong>development</strong> <strong>using</strong> a <strong>model</strong><strong>based</strong><br />
testing workflow<br />
Page 5 of 13
developerWorks® ibm.com/developerWorks/<br />
This means that the stopwatch shall display time as 0:0.<br />
Figure 3. Defining the behavior of a test case with a sequence diagram<br />
After the behavior of the test case is defined, the next step is to link the test case to<br />
the requirement to be tested by adding a TestObjective to the test case that points<br />
to the requirement. The test objective explicitly links the test case to the requirement<br />
(see Figure 4) for traceability between the requirement and the test case.<br />
Figure 4. Linking a test case to a requirement with a TestObjective element<br />
After defining the test case and linking it to a requirement, the next activity is to<br />
execute the test case and compute the test result (Figure 5). The test execution<br />
<strong>Safety</strong>-<strong>related</strong> <strong>software</strong> <strong>development</strong> <strong>using</strong> a <strong>model</strong><strong>based</strong><br />
testing workflow<br />
Page 6 of 13
ibm.com/developerWorks/ developerWorks®<br />
report contains information about the test execution, such as the test execution time<br />
and the test result.<br />
Figure 5. Test execution window (bottom left) and test report (right).<br />
In the same way, test cases for all requirements need to be developed. This process<br />
is iterated until all requirements have been covered by appropriate test cases.<br />
ISO 26262-6 also demands determination of test coverage of the requirements to<br />
assess whether the requirements have been completely tested. The assessment<br />
of which requirements are covered by which test cases, and the reverse, is another<br />
activity that is described in the Rhapsody Reference workflow, as depicted in Figure<br />
6.<br />
<strong>Safety</strong>-<strong>related</strong> <strong>software</strong> <strong>development</strong> <strong>using</strong> a <strong>model</strong><strong>based</strong><br />
testing workflow<br />
Page 7 of 13
developerWorks® ibm.com/developerWorks/<br />
Figure 6. Assessment of requirements coverage of test cases<br />
Rational Rhapsody provides several mechanisms to assess the actual requirements<br />
coverage. Figure 7 shows how you can use a Test Requirements Matrix to<br />
automatically visualize the relationship between requirements and test cases. The<br />
requirements are shown on the horizontal axis, and the test cases are shown on the<br />
vertical axis. If a test case is linked to a requirement by a test objective, a yellow test<br />
objective symbol is shown at the intersection point within the matrix. By looking at the<br />
test requirements matrix, you can see which requirements are covered by which test<br />
cases and which requirements are not. As this matrix shows, test cases are defined<br />
for all requirements, and the execution of all of these test cases was successful.<br />
<strong>Safety</strong>-<strong>related</strong> <strong>software</strong> <strong>development</strong> <strong>using</strong> a <strong>model</strong><strong>based</strong><br />
testing workflow<br />
Page 8 of 13
ibm.com/developerWorks/ developerWorks®<br />
Figure 7. Tables show full requirements coverage of test cases and results of<br />
the test execution<br />
As you can see, the <strong>development</strong> and verification activities of the Rational Rhapsody<br />
Reference workflow can be mapped directly to the recommended methods and<br />
activities of the ISO 26262 process. This article has described the mapping for<br />
requirements-<strong>based</strong> testing activities and test requirement coverage. The remaining<br />
reference workflow activities, such as back-to-back testing and structural coverage<br />
measurement, are also mapped to ISO 26262 activities. Similar Rational Rhapsody<br />
tool support and automation exist to aid you in efficient use of these capabilities.<br />
A similar mapping of the Rational Rhapsody Reference workflow <strong>development</strong><br />
and verification activities can be defined for other standards, such as DO-178B,<br />
DO-178C, IEC 61508, or IEC 62304.<br />
Summary<br />
Delivering safe systems requires following a rigorous process, with considerable time<br />
spent verifying that the design is meeting requirements. Using the Rational Rhapsody<br />
Reference workflow enables you to automate <strong>development</strong> of designs that must<br />
comply with safety standards.<br />
The reference workflow provides several benefits for faster <strong>development</strong> of safetycritical<br />
systems:<br />
<strong>Safety</strong>-<strong>related</strong> <strong>software</strong> <strong>development</strong> <strong>using</strong> a <strong>model</strong><strong>based</strong><br />
testing workflow<br />
Page 9 of 13
developerWorks® ibm.com/developerWorks/<br />
• The concrete guidance on how to perform some of the recommended activities<br />
of ISO 26262 and IEC 61508 can also be applied to other standards.<br />
• Traceability to requirements helps ensure that the design is meeting<br />
requirements and helps in understanding the impact of a change in<br />
requirements.<br />
• Rational Rhapsody tools enable you to effectively perform these activities during<br />
your project work to maximize product quality and safety.<br />
• The high degree of automation provided with Rational Rhapsody and Rational<br />
Rhapsody TestConductor Add On enables you to achieve your quality<br />
objectives within their given time and budget<br />
<strong>Safety</strong>-<strong>related</strong> <strong>software</strong> <strong>development</strong> <strong>using</strong> a <strong>model</strong><strong>based</strong><br />
testing workflow<br />
Page 10 of 13
ibm.com/developerWorks/ developerWorks®<br />
Resources<br />
Learn<br />
• Explore information <strong>related</strong> to this article:<br />
• <strong>IBM</strong> Rational Rhapsody Kit for ISO 26262 and IEC 61508, which<br />
documents Rational Rhapsody Reference Workflow and includes the TuV<br />
SUD certificate<br />
• <strong>IBM</strong> Rational Rhapsody Reference Workflow Guide (PDF download)<br />
• Recorded demonstration: Rhapsody Enlightenment: Test Driven<br />
Development with Rhapsody TestConductor<br />
• Rational systems white paper: Linking <strong>model</strong>-driven <strong>software</strong> testing to<br />
quality management<br />
• <strong>IBM</strong> Rational Solutions for Automotive Functional <strong>Safety</strong><br />
• Learn more about this <strong>software</strong> for collaborative, <strong>model</strong>-driven <strong>development</strong> for<br />
embedded systems:<br />
• Start with the Rational Rhapsody product line overview and the Rational<br />
Rhapsody page and the <strong>IBM</strong> Rational Rhapsody wiki on<br />
• <strong>IBM</strong> developerWorks.<br />
• Also see the Rational Rhapsody, version 8.0 information center.<br />
• Explore the Rational <strong>software</strong> area on developerWorks for technical<br />
resources, best practices, and information about Rational collaborative<br />
and integrated solutions for <strong>software</strong> and systems delivery.<br />
• Check the other web pages cited in this article:<br />
• OMG UML Testing Profile<br />
• ISO 26262-6:2011 Road vehicles – Functional safety – Part 6: Product<br />
<strong>development</strong> at the <strong>software</strong> level<br />
• Stay current with developerWorks technical events and webcasts focused on a<br />
variety of <strong>IBM</strong> products and IT industry topics.<br />
• Attend a free developerWorks Live! briefing to get up-to-speed quickly on<br />
<strong>IBM</strong> products and tools, as well as IT industry trends.<br />
• Watch developerWorks on-demand demos, ranging from product<br />
installation and setup demos for beginners to advanced functionality for<br />
experienced developers.<br />
• Improve your skills. Check the Rational training and certification catalog, which<br />
includes many types of courses on a wide range of topics. You can take some<br />
of them anywhere, anytime, and many of the Getting Started ones are free.<br />
Get products and technologies<br />
• Take an online tour of Rational Rhapsody with an online trial or download<br />
Rational Rhapsody or special editions to Evaluate, free of charge, for 30 days.<br />
• Learn more about the Design Management project on Jazz.net.<br />
Discuss<br />
<strong>Safety</strong>-<strong>related</strong> <strong>software</strong> <strong>development</strong> <strong>using</strong> a <strong>model</strong><strong>based</strong><br />
testing workflow<br />
Page 11 of 13
developerWorks® ibm.com/developerWorks/<br />
• Join the discussion in the Rational Rhapsody forum.<br />
• Get connected with your peers and keep up on the latest information in the<br />
Rational community.<br />
• Rate or review Rational <strong>software</strong>. It's quick and easy.<br />
• Share your knowledge and help others who use Rational <strong>software</strong> by writing a<br />
developerWorks article. Find out what makes a good developerWorks article<br />
and how to proceed.<br />
• Follow Rational <strong>software</strong> on Facebook, Twitter (@ibmrational), and YouTube,<br />
and add your comments and requests.<br />
• Ask and answer questions and increase your expertise when you get involved<br />
in the Rational forums, cafés, and wikis.<br />
<strong>Safety</strong>-<strong>related</strong> <strong>software</strong> <strong>development</strong> <strong>using</strong> a <strong>model</strong><strong>based</strong><br />
testing workflow<br />
Page 12 of 13
ibm.com/developerWorks/ developerWorks®<br />
About the authors<br />
Paul Urban<br />
Udo Brockmeyer, PhD<br />
Paul Urban has more than 25 years experience in developing systems,<br />
<strong>software</strong>, and hardware in the embedded and real-time systems<br />
industry. He is a senior systems market manager for <strong>IBM</strong> Rational<br />
<strong>software</strong> and has worked with Rational <strong>software</strong> in various roles since<br />
1995.<br />
Dr. Udo Brockmeyer earned a degree in computer science from the<br />
University of Oldenburg and in 1995. He then worked on formal methods<br />
in the Research Institute OFFIS e.V. and achieved his doctorate in<br />
computer science in 1999. In 2001, he moved to OSC - Embedded<br />
Systems AG, where he was a project leader. He has been CEO of BTC<br />
Embedded Systems AG since 2005.<br />
© Copyright <strong>IBM</strong> Corporation 2013<br />
(www.ibm.com/legal/copytrade.shtml)<br />
Trademarks<br />
(www.ibm.com/developerworks/ibm/trademarks/)<br />
<strong>Safety</strong>-<strong>related</strong> <strong>software</strong> <strong>development</strong> <strong>using</strong> a <strong>model</strong><strong>based</strong><br />
testing workflow<br />
Page 13 of 13